
[suse-security] dns and named in chroot jail



Hi, 
 I want to configure dhcpd and named in a chroot jail for security reasons. 
 Dhcpd and named work well, but dhcpd does not update named, and there is nothing in the log files that helps me understand the problem. 
 I use SUSE Professional 9.1. 
 I read the documentation in /usr/share/doc/packages/bind, but I do not know where the problem is. 
 Could you help me? 
 Best regards, 
 Cristian Del Carlo. 
 
 
 My configuration is the following: 
 
 1) /etc/dhcpd.conf 
    # dhcpd.conf as posted: global DDNS settings, then one subnet carrying the
    # forward and reverse zones that dhcpd is meant to update with a TSIG key.
    default-lease-time 600; 
   max-lease-time 7200; 
   # Same key file that named.conf includes; with DHCPD_RUN_CHROOTED="yes" this
   # path presumably has to be resolved inside the dhcpd jail (see
   # DHCPD_CONF_INCLUDE_FILES in /etc/sysconfig/dhcpd) -- verify a readable copy is there.
   include "/etc/named.keys"; 
   authoritative; 
   allow unknown-clients; 
   ddns-update-style interim; 
   ignore client-updates; 
 subnet 10.1.1.0 netmask 255.255.255.0 { 
         range 10.1.1.101 10.1.1.185; 
         option domain-name "test.it"; 
         option domain-name-servers 10.1.1.1; 
         option subnet-mask 255.255.255.0; 
         option routers 10.1.1.1; 
         # NOTE(review): repeats the domain-name-servers option given three lines above
         option domain-name-servers 10.1.1.1; 
         ddns-domainname "test.it"; 
         ddns-rev-domainname "1.1.10.in-addr.arpa"; 
 # Updates go to the loopback address; named's listen-on acl (BIND) does
 # include 127.0.0.1/8, so the update path itself is consistent on paper.
 zone test.it. { 
         primary 127.0.0.1; 
         key DHCP_UPDATER; 
 } 
 zone 1.1.10.in-addr.arpa. { 
         primary 127.0.0.1; 
         key DHCP_UPDATER; 
 } 
 } 
 
 2) /etc/named.conf 
 
 // named.conf as posted; the author elided the middle part of the file.
 acl PROVIDER { 192.168.9.30; }; 
 // Used by listen-on below: the LAN address plus loopback (dhcpd sends its updates to 127.0.0.1).
 acl BIND { 10.1.1.1; 127.0.0.1/8; }; 
 acl RETELOCALE { 10.1.1.0/24; 127.0.0.1/8; }; 
 options { 
         directory "/var/lib/named"; 
         dump-file "/var/log/named_dump.db"; 
         statistics-file "/var/log/named.stats"; 
         forwarders { 192.168.9.30; }; 
         listen-on port 53 { BIND; }; 
         // NOTE(review): the IPv6 listener accepts any address while the IPv4
         // one is restricted to the BIND acl -- confirm that asymmetry is intended.
         listen-on-v6 { any; }; 
         allow-query { RETELOCALE; }; 
         // Global default; both zones below override it with 127.0.0.0/8.
         allow-transfer { none; }; 
         allow-recursion { RETELOCALE; }; 
         notify no; 
 }; 
 
 < .......> 
 
 include "/etc/named.conf.include"; 
 // TSIG key shared with dhcpd.conf. With NAMED_RUN_CHROOTED="yes" this is
 // presumably read inside the jail (see NAMED_CONF_INCLUDE_FILES in
 // /etc/sysconfig/named) -- verify the copy there matches dhcpd's.
 include "/etc/named.keys"; 
 zone "test.it" in { 
         type master; 
         // Relative to the directory option, i.e. /var/lib/named/test.it/,
         // which the listing below shows owned by named.
         file "test.it/master.zone"; 
         allow-transfer { 127.0.0.0/8; }; 
         // Dynamic updates are accepted only when signed with DHCP_UPDATER.
         allow-update { key DHCP_UPDATER; }; 
 }; 
 zone "1.1.10.in-addr.arpa" in { 
         type master; 
         file "test.it/10.1.1.0.zone"; 
         allow-transfer { 127.0.0.0/8; }; 
         allow-update { key DHCP_UPDATER; }; 
 }; 
 
 3) /etc/named.keys 
     # TSIG key referenced by named (allow-update) and by dhcpd (zone ... key).
     # Both daemons run chrooted, so each jail needs its own copy; the copies
     # must stay identical and should be readable only by the daemon users,
     # since this file holds the shared secret (redacted by the author).
     key DHCP_UPDATER { 
     # NOTE(review): hmac-md5 is what both sides are set up for here; later
     # BIND/dhcpd releases also support SHA-based TSIG -- confirm availability
     # on this version before changing it.
     algorithm hmac-md5; 
         secret "<samething>"; 
 }; 
 
 4) /etc/sysconfig/named 
     # named runs inside its jail. NAMED_CONF_INCLUDE_FILES lists files the
     # start script presumably copies into it; note one entry is relative and
     # the other absolute -- verify both end up where named.conf's include expects.
     NAMED_RUN_CHROOTED="yes" 
    NAMED_CONF_INCLUDE_FILES="rndc-access.conf /etc/named.keys" 
    NAMED_ARGS="" 
 
 5) /etc/sysconfig/dhcpd 
 # dhcpd runs chrooted as the unprivileged user in DHCPD_RUN_AS. The key file
 # in DHCPD_CONF_INCLUDE_FILES has to be present inside that jail and readable
 # by that user (and ideally by nobody else, as it holds the TSIG secret);
 # a copy missing or unreadable there would explain silent update failures -- worth checking first.
 DHCPD_INTERFACE="eth0" 
 DHCPD_RUN_CHROOTED="yes" 
 DHCPD_CONF_INCLUDE_FILES="/etc/named.keys" 
 DHCPD_RUN_AS="dhcpd" 
 DHCPD_OTHER_ARGS="" 
 DHCPD_BINARY="" 
 
 6) ls -al /var/lib/named 
    drwxr-xr-x 10 root root 4096 Sep 23 14:02 . 
 drwxr-xr-x 58 root root 4096 Sep 28 08:34 .. 
 -rw-r--r-- 1 root root 192 Apr 6 04:06 127.0.0.zone 
 drwxr-xr-x 2 root root 4096 Sep 28 08:27 dev 
 drwxr-xr-x 2 named named 4096 Apr 6 04:06 dyn 
 drwxr-xr-x 3 root root 4096 Sep 28 14:55 etc 
 -rw-r--r-- 1 root root 158 Apr 6 04:06 localhost.zone 
 drwxr-xr-x 2 named named 4096 Sep 24 12:07 log 
 drwxr-xr-x 2 root root 4096 Sep 23 14:02 master 
 -rw-r--r-- 1 root root 2517 Apr 6 04:06 root.hint 
 drwxr-xr-x 2 named named 4096 Sep 23 12:11 slave 
 drwxr-xr-x 2 named named 4096 Sep 28 18:54 test.it 
 drwxr-xr-x 4 root root 4096 Sep 23 09:31 var 
 


